The Information Commissioner's response to the Department for 
Business, Energy & Industrial Strategy's consultation on the Warm 
Home Discount: better targeted support from 2022 


About the ICO 


1. The Information Commissioner has responsibility for promoting and 
enforcing the UK General Data Protection Regulation ('UK GDPR'), the Data 
Protection Act 2018 ('DPA'), the Freedom of Information Act 2000 ('FOIA'), 
the Environmental Information Regulations 2004 ('EIR') and the Privacy 
and Electronic Communications Regulations 2003 ('PECR'). 


2. She is independent from government and upholds information rights in the 
public interest, promoting openness by public bodies and data privacy for 
individuals. The Commissioner does this by providing guidance to 
individuals and organisations, solving problems where she can, and taking 
appropriate action where the law is broken. 


Introduction 


3. The Information Commissioner’s Office (ICO) welcomes the opportunity to 
respond to this Department for Business, Energy & Industrial Strategy 
(BEIS) consultation on the Warm Home Discount (WHD): better targeted 
support from 2022. Whilst this consultation is largely focused on the 
financial and technical elements of the WHD scheme, this response focuses 
on the data protection and privacy considerations of the scheme, in line 
with the Commissioner’s remit. 


4. The UK GDPR and DPA enable fair and proportionate processing of data, 
and the ICO recognises that there are important societal benefits that can 
arise from the use of personal data, such as assisting those in fuel poverty. 
Using data responsibly is vital to prevent harm as well as to secure and 
retain the public’s trust and confidence. 


5. The ICO previously responded to a BEIS consultation on the WHD for 
2021/22 and notes the proactive and continued engagement with BEIS 
regarding the WHD. We recommend that those areas outlined in our 
previous response continue to be considered for the WHD from 2022 
onwards. 
Data matching and sweep up 


6. The ICO understands that BEIS propose replacing the current ‘Broader 
Group’ with a new ‘Core Group 2’ in order to better target support, remove 
the first-come, first-served nature of this Group and enable recipients to 
receive the WHD automatically, rather than having to apply. The ICO notes 
that in order to administer the ‘Core Group 2’ rebate, BEIS propose 
matching data from various sources, including from DWP, HMRC and the 
Valuation Office Agency (VOA), as outlined on page 17 of the consultation. 


7. The ICO supports the use of Government data in the public interest, to 
assist those in fuel poverty. However, where such use of Government data 
includes personal data, any processing must comply with data protection 
legislation. Data protection legislation enables legitimate and responsible 
data sharing and data matching, but the tools that are used need to be fit 
for purpose and proportionate in order to respect individuals’ rights. The 
consultation proposes using special category data to assess potential 
eligibility for the WHD, such as whether an individual is in receipt of a 
health-related benefit such as Personal Independence Payment or Disability 
Living Allowance. Additional protection is needed for this and any other 
special category data that will be processed, because its use creates 
significant risks to individuals' fundamental rights and freedoms. 


8. BEIS, alongside all other parties involved in the data matching and sweep 
up process, will need to establish and set out their respective 
responsibilities and the nature of their relationship. This will require 
appropriate documentation for the relationship, such as a transparent 
arrangement for a joint controller relationship or a written contract if there 
is a controller-processor relationship.¹ The ICO has produced guidance on 
controllers and processors to assist with this process. The ‘ICO’s Data 
Sharing Code of Practice’ section of this response also provides further 
guidance in respect of any sharing undertaken as part of the data matching 
process. 


9. As part of the data matching and sweep up process, the ICO welcomes the 
provision for individuals to submit their own evidence to prove their WHD 
eligibility, particularly bearing in mind the limitations acknowledged in the 
consultation in respect of the accuracy and completeness of the VOA data. 


¹ As per the requirements in Articles 26 and 28 of the UK GDPR. 
10. BEIS should ensure that alternative evidence accepted from 
consumers is not limited to the evidence listed in the consultation such as 
Energy Performance Certificates but includes 'relevant' data, with a holistic 
approach being taken and guidance being given to individuals on what may 
be classed as relevant. DWP will need to provide this clarity to ensure that 
it only receives the evidence it needs and does not collect more data than 
is necessary. This will assist compliance with the UK GDPR Article 5(1)(c) 
data minimisation principle. 


Additionally, it is important that data subjects are aware that providing 
personal data, that will be used to assess their eligibility, may result in 
confirmation that they do not qualify for the WHD. 


Automated decision making 


11. As mentioned in the ICO's previous response to WHD proposals for 
2021-2022, it appears that the Core Group, as well as the new Core Group 
2, are identified through a process of data matching, with data provided 
from a variety of sources, such as DWP and the VOA. From the 
consultation, it appears that this constitutes solely automated processing 
within the meaning of Article 22 of the UK GDPR. Article 22 states that data 
subjects have the right not to be subject to a decision based solely on 
automated processing, including profiling, which produces legal effects 
concerning them or similarly significantly affects them. 


12. Organisations can only carry out this type of processing if they can 
rely on one of the three exceptions set out in Article 22(2). It is not 
clear from the consultation which exception BEIS are relying on, so further 
clarity is needed on whether, and how, this applies. The ICO has produced 
detailed guidance on the data protection requirements when using solely 
automated decision making that may be of use in determining if one of the 
three exceptions applies in relation to any of the individuals eligible under 
the Core Group or Core Group 2. 


13. In particular, individuals must be informed of the use of their 
personal data for solely automated decision-making with legal or similarly 
significant effects. They must also be provided with meaningful information 
about the logic involved and what the likely consequences are. In this 
instance, this may mean, for example, that they are able to phone a 
Helpline or provide alternative evidence to prove their WHD eligibility. 
Accuracy of data 


14. The ICO welcomes DWP's intention to process data in a way that 
results in a more accurate identification of those eligible for the WHD. This 
aligns with the accuracy principle under Article 5(1)(d) of the UK GDPR, 
which requires that data remains accurate and up to date. 


15. As the consultation proposes matching data from various sources, it 
is crucial that consideration is given to how data will be kept up to date, 
and how any changes will be reflected throughout the process, to ensure 
that no harm or detriment is faced by data subjects. For example, if an 
individual moves home and updates their address with DWP, how will this 
be reflected in the data that BEIS process, bearing in mind the address is 
matched with VOA data on the property where an individual resides? This is 
particularly important when those eligible for the WHD may be more likely 
to experience insecure housing arrangements. 


Accountability 


16. Accountability is an important aspect in engendering public trust and 
confidence, and the ICO has published an accountability framework to help 
organisations demonstrate their compliance. The ICO highlights the 
importance of adopting a data protection by design and default approach to 
ensure that any risks in the processing of personal data for implementing 
the WHD are appropriately mitigated and appropriate safeguards are put 
in place. 


17. A data protection impact assessment (DPIA) is a tool to help 
controllers ensure that they are processing personal data in a manner that 
is compliant with the data protection legislation. A DPIA must be carried 
out before any type of processing that is "likely to result in a high risk" to 
the rights and freedoms of individuals.² 


18. Article 35(3)(a) of the UK GDPR provides that a DPIA must be 
undertaken for any systematic and extensive evaluation of personal aspects 
relating to individuals which is based on automated processing, including 
profiling, and on which decisions are based that produce legal effects 
concerning the individual or similarly significantly affect the individual. 
Therefore, the proposals for the Core Group and Core Group 2 are likely to 
be within scope of this requirement, due to recipients automatically 
receiving the WHD following the data matching exercise. 


² Article 35(1) of the UK GDPR. 


19. There are also European guidelines to help controllers identify other 
high risk processing. Whilst these are no longer directly relevant to, or 
binding under, the UK regime, they may still provide helpful guidance. As 
required by Article 35(4), the ICO has published a list of operations that 
require a DPIA, which complements and further specifies the criteria 
referred to in the European guidelines. One of the operations under Article 
35(4) that automatically requires a DPIA is the matching, combining or 
comparing of data from multiple sources. In the ‘Data matching and 
sweep-up’ section of the consultation, proposals include data matching with 
a larger cohort of energy suppliers, the VOA and HMRC. Such data 
matching is within scope of the aforementioned processing operation under 
Article 35(4). It is therefore likely that a DPIA will need to be undertaken 
before this processing is carried out. 


20. DPIAs enable controllers to map the flow of data through an entire 
process lifecycle, including the various organisations involved. This enables 
all risks to be identified and the opportunity for these to be mitigated prior 
to processing. If a high risk to data subjects is identified through a DPIA, 
which cannot be sufficiently mitigated, the controller must consult with the 
ICO under Article 36(1) of the UK GDPR prior to the high risk element of 
the processing being carried out. The ICO has produced general guidance 
as well as detailed guidance on when DPIAs are legally required, and how 
such assessments should be undertaken, to assist controllers with their 
obligations. 


21. Considering and mitigating the potential privacy risks at the earliest 
stage of the proposals from 2022 onwards will help ensure that both 
individuals and organisations can realise the benefits of the WHD in a way 
that takes account of privacy risks, integrates appropriate safeguards into 
the processing and helps controllers fulfil their accountability obligations. 
This is particularly important when the processing relates to vulnerable 
individuals. 


ICO’s Data Sharing Code of Practice 
22. The data protection legislation obliges the Information Commissioner 
to produce a statutory code of practice on data sharing. The code has been 
laid before Parliament, and should be taken into account by all organisations 
involved in sharing personal data in relation to the WHD. 


23. This not only applies to the sharing of personal data between 
government agencies such as BEIS, DWP and VOA for those in the Core 
Group and Core Group 2 but also for the sharing between energy suppliers 
and other organisations, such as charities, in relation to those individuals in 
the Industry Initiatives group. Adhering to the Code will help ensure good 
practice around data sharing and help to manage risks associated with 
sharing information, including the parties’ approach to matters such as 
cybersecurity. Following the Code and adopting its practical 
recommendations will help to give organisations confidence to collect and 
share personal data in a way that is fair, transparent and in line with the 
rights and expectations of the people whose information is being shared. 


24. The consultation outlines in the ‘Supplier participation’ section that a 
staged approach is proposed, which will, over time, increase the number of 
energy suppliers participating in the WHD scheme. As the number of 
organisations involved increases, it is important that clear guidance and 
information is provided to all suppliers on their data protection obligations 
as part of the scheme. Additionally, BEIS will need to consider how to 
ensure new and existing suppliers meet these requirements prior to sharing 
data, potentially as part of any pre-contractual checks. 


Transparency 


25. Transparency is a key component of fairness as well as a legal 
requirement under Article 5(1)(a) of the UK GDPR. Additionally, the 
requirement to provide privacy information is a fundamental right under 
Articles 13 and 14 of the UK GDPR. It is therefore crucial that privacy 
information is available and accessible to all individuals whose data will be 
processed in the administration of the WHD, including those who are 
deemed ineligible. The ICO has published guidance on the right to be 
informed that will assist controllers in meeting these requirements. 


26. When processing information, including from any vulnerable 
individual, organisations must make sure they treat them fairly. This 
means drafting privacy information appropriate to the level of 
understanding of the intended audience and, in some cases, putting 
stronger safeguards in place. Particular care should be taken to ensure 
individuals understand the purpose for which data will be processed and 
the extent of this. Data should not be processed in a way which data 
subjects would not reasonably expect. 


27. As already mentioned, individuals have the right to receive details of 
the existence of solely automated decision-making if this applies. They also 
need to receive information about their data protection rights and how to 
assert these, including (but not limited to) how to have incorrect data 
rectified. 


28. It is often most effective to provide privacy information using a 
combination of techniques, including layering and dashboards. Careful 
consideration should be given to the format that is most appropriate 
in the circumstances, particularly in relation to vulnerable individuals. 
Privacy information must be regularly reviewed to ensure that any new use 
of an individual's personal data is brought to that individual's attention 
before the processing begins, so any information currently provided in 
respect of the WHD scheme must be updated prior to any new processing. 


Security of personal data 


29. Article 5(1)(f) of the UK GDPR requires that personal data is 
processed "in a manner that ensures appropriate security" and that 
controllers should use "appropriate technical or organisational measures" to 
achieve this. The proposal to match data from various sources, coupled 
with the increase in energy suppliers due to participate in the WHD scheme 
from 2022 onwards, means that the volume of personal data that will be 
processed is likely to increase significantly. Therefore, care must be taken 
to ensure it is held and processed securely. 


30. Article 32(1) details the matters that organisations must take into 
account, including but not limited to the state of the art, the costs of 
implementation and the risk of varying likelihood and severity for the rights 
and freedoms of individuals. The level of security should be appropriate to 
the level of risk and should be documented in the DPIA. The ICO has 
produced guidance on security that may be of use in determining what is 
appropriate in the circumstances outlined in the consultation. 
Legislative consultation 


31. The consultation, aimed at better targeting the support provided 
through the WHD, proposes legislative changes. Therefore, under Article 
36(4) of the UK GDPR, BEIS will need to consult with the ICO during the 
preparation of these legislative proposals. 


32. Article 36(4) requires government departments and relevant public 
sector organisations to formally consult with the ICO during the preparation 
of policy proposals for statutory or legislative measures that relate to the 
processing of personal data. DCMS have produced guidance on the 
application of Article 36(4) that will be of use in meeting this obligation. 

Conclusion 

33. The ICO is happy to provide further input on these matters and 
welcomes further engagement from BEIS on these proposals. We look 
forward to receiving an A36(4) consultation on changes to the legislation. 

Information Commissioner’s Office 


August 2021 